Skip to content

Commit

Permalink
Let runc write to /exec.fifo
Browse files Browse the repository at this point in the history
Sample Falco alert:

```
File below / or /root opened for writing (user=<NA>
command=runc:[1:CHILD] init parent=docker-runc-cur file=/exec.fifo
program=runc:[1:CHILD] CID1 image=<NA>)
```

This github issue provides some context:
opencontainers/runc#1698

Signed-off-by: Mark Stemm <[email protected]>
  • Loading branch information
mstemm authored and poiana committed Feb 3, 2020
1 parent 7794e46 commit 01c9d8b
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions rules/falco_rules.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -1353,6 +1353,9 @@
- macro: user_known_write_below_root_activities
condition: (never_true)

- macro: runc_writing_exec_fifo
condition: (proc.cmdline="runc:[1:CHILD] init" and fd.name=/exec.fifo)

- rule: Write below root
desc: an attempt to write to any file directly below / or /root
condition: >
Expand All @@ -1372,6 +1375,7 @@
and not galley_writing_state
and not calico_writing_state
and not rancher_writing_root
and not runc_writing_exec_fifo
and not known_root_conditions
and not user_known_write_root_conditions
and not user_known_write_below_root_activities
Expand Down

0 comments on commit 01c9d8b

Please sign in to comment.